
IATC - Introduction to I Am The Cavalry - Day Two - Preparing for 2027

BSides Las Vegas · 26:53 · Published 2024-09
About this talk
I Am The Cavalry, Wed, Aug 7, 12:30 - 13:00 CDT. Josh will recap Day One and set up the following discussion points across three workshop segments:
• Preparing for 2027 - What can be done to buy down risk?
• What can be done in 3 years, 3 months, 3 weeks
• Wars / rumors of war
• Seeing societal impact affecting real people: hospitals, water
• Cyber spill-over examples: NotPetya, $1B - Merck
• We should anticipate more disruptions
• Volt Typhoon
• We are not prepared.
• We can adjust
People: David Batz, Josh Corman
Transcript (en)

Making our way down from a fantastic keynote, you're going to hear from Dr. Andrea Matwyshyn in a bit, but first we're going to recap. If this is your first time to the I Am The Cavalry track, we tend to run a pretty curated experience, a two-day experience where many of the speeches and guests and discussants are building upon each other for a common theme. So, how many of you were here yesterday? Show of hands, okay. How many of you, like Cory, were not here yesterday? Okay. And for those at home on video or streaming, we're going to do a really quick recap of where we are today, so a tiny bit of summary from yesterday, and

then we'll outline what you should see today. So, I am Josh Corman. I'm one of the founders of iamthecavalry.org. We founded it right here, upstairs, at BSides Las Vegas in 2013, so give yourselves a round of applause for 11 years of public safety service. All right, that's a long time. Last year we were at a bit of a crossroads where we said, okay, it's been a decade; in some ways we exceeded our wildest imagination on making the world a safer place where bits and bytes meet flesh and blood, and the world's getting worse faster. So I posed to the group, to each of you, and to our ranks of

volunteers across the world: should we end it, should we transform it into something new, or should we combine it with other initiatives? We spent a good chunk of day two last year workshopping a few parallel possible futures. I told you all I'd take up to three months, without working, to try to make this hard decision, and one year later, those three months turned out to be a much harder decision. So a couple things we said yesterday, just as a level set: if you zoom out, even since last year, and you look at our dependence on connected technology, which was growing faster than our ability to secure it, which is how we founded in 2013, I've shifted

to a slightly different way of saying this to policy makers, and we're going to have to shift yet again. I'll try to be a little quicker than I intended initially, so let me just go to this. What's becoming clear to me is that this isn't just about hacking and cyber; this could be accidents or adversaries, but we are essentially having our neighbors and our communities, and AARP, and the general public increasingly inheriting our overdependence on undependable things, where even accidents and adversaries can have a profound impact on public safety, economic, and national security. So the issue is we depend upon these things, but they're not dependable, and we're going to go through an adjustment period where this

unwarranted trust in dangerous technology connectivity is exposed. Now, eventually we're going to right-size this, and we're going to have a proportional dependence to dependability. If you saw Executive Order 14028, it was, in large part, triggered in response to SolarWinds, but there's a line in the intro that I'm quite fond of, which says: in the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced. So really this is about balance: are we overdependent on undependable things, are we overtrusting untrustworthy things, and how much harm is this causing? So I hope there's no

lie detected when I say to you that when you look at disruptions, not confidentiality, not breached records, but disruptions to lifeline critical infrastructure, we have had more disruptions, larger disruptions, longer disruptions, and more life-safety-affecting disruptions. Sometimes this is Change Healthcare, where instead of hacking a single hospital or hospital group, you hack the payment gateway upon which they all depend, and 75% or more of US hospitals and pharmacies are disrupted for months, right? So that one-to-many, the systemically important entity, where we put more eggs in fewer baskets, amplifying the cost of harm. So sometimes that's an over-concentration-of-risk problem, not a cyber problem; sometimes it's too easy to hack these; and sometimes those come

together. Now, that was a hack. CrowdStrike was not a hack, and yet it did half a NotPetya of global damage. Right now NotPetya was about $10 billion in initial estimates; this was about $5 billion. So a security product, without malicious intent, did half the harm of the largest recorded cyberattack from a nation state. So because of this overdependence on undependable things, our communities are now noticing these failures. So we've been on the right track for a while; we've been saying a lot of the right things, we've been doing a lot of the right things, and the government is catching on too. A lot of people in this room helped cause the PATCH Act to pass into law. We

celebrated that last year. This requires that all FDA-approved medical devices have to be patchable, have to have threat models, have to have a coordinated disclosure program to work with helpful hackers without fear of retribution, have to have machine-generated SBOMs, or software bills of materials, and have to have a vulnerability management lifecycle program. All net-new medical devices are going to be safer than their predecessors going forward; it's just going to take 15 years for us to get rid of the really old bad ones, or longer in the secondary and tertiary markets. So we have this period where we're overdependent on undependable things. We were prone and we were prey, but we lacked predator activity. Now we're in

the messy middle on the way to some of these positive policy steps and incentive adjustments getting us to a more defensible, dependable future, but the middle is very, very messy, and it's going to get messier. So part of what we said is that we are overdependent on undependable things. Last year I floated: maybe we shouldn't try to do everything where bits and bytes meet flesh and blood; we should focus on the areas that are most acutely harmful to basic human life, the bottom of Maslow's hierarchy, things like the water you drink, the food you put on your table, the access to timely patient care for emergency care, and power to make society run. So the water, the food, the emergency

care, and the power are often owned and operated by the target-rich, cyber-poor. This last mile is neglected. They don't participate in ISACs, they don't participate in sector coordinating councils, they don't know what the 16 sectors are, or CPGs, or NIST, or whatever frameworks. They don't have a single qualified security person on staff, but they're probably providing your family clean drinking water. So we don't want to become preppers, but we're in a very exposed state. David may end the day today talking about victory gardens, so that's a little bit of an Easter egg. But these bottom-of-Maslow things: the water, the food, the fuel for our cars, our homes, and our supply chains,

municipal power, the schools your children attend, federal agencies, challenges to state secrets, and timely access to patient care, with now-proven mortal consequences. So the other thing I had us reflect on yesterday: we knew during my keynote last year that we had seen, out of the 7,000 hospitals that we used to track at the US level, cross-continental land mass, we knew there were about 7,000, and I saw this study and tracking from rural hospital associations of 200 closures. And now when you talk to policy makers, they say we have 6,000 hospitals. Some of that's mergers and acquisitions, some of that's closures and conversions, but we've lost about a thousand of the 7,000 across the country. This one

depicts 200. Yesterday both myself and Dr. Christian Dameff pointed out there's a recent study on the financial solvency of these hospitals, and they expect another 700-plus are either at the risk of immediate closure or at the risk of closure, the slightly less urgent. So they don't have money. A typical small or medium rural hospital has four to six weeks of cash flow on hand in the reserves; four to six weeks is their maximum contingency plan. And with several hundred ransoms a year, even if it doesn't hit them, it could hit Change Healthcare, upon which they depend. If a ransom can knock you out for 12-plus weeks or several months, you're

not going to survive that. You're either going to close, or you're going to be weakened enough to be part of an acquisition, and those acquisitions only let you survive another day to be part of a much larger blast radius, where a hack of an Ascension Health can hit plural states concurrently. So we're kind of in a death spiral for your ability to get timely access to patient care. And how many of those closures would have happened anyhow? Quite a few, and people like us should maybe try to be a voice of reason to advocate to do better than we have. But how many of them are exacerbated by our insecurity in our connected technology? Now, the reason this got heavy

yesterday, and I'm going to ask you once again to get comfortable with discomfort, just for one more day in this room: we're going to have three uncomfortable conversations. As if this wasn't bad enough, that trajectory line of more disruptions, larger disruptions, longer disruptions, and more life-safety disruptions has largely been accidents and financially motivated adversaries. But we knew in January that the top four cyber chiefs for US defense, from NSA, FBI, CISA, and the Office of the National Cyber Director, in unclassified briefings told Congress of Volt Typhoon, an example of what they call pre-positioning, where we have found and evicted Chinese military actors from our own water and wastewater treatment facilities. They're Swiss cheese, so it's

not surprising they got in, but unlike a ransom crew, the goal would not be to monetize this access they currently have, but rather to do destructive work. So why 2027? If you haven't seen the hearings, please watch them and educate yourself. We don't want hyperbole, but their leadership has announced publicly they have intentions regarding Taiwan as early as 2027, and part of this campaign is to make sure the US stays out of it. So, as a deterrent, or maybe as a warning shot and a brushback pitch were we to get too involved, but potentially as well to do pretty serious destruction. And if you listened to anything yesterday, we know no water means no

hospital very quickly. We know our concentration of risk on food supply is affected by these things. So these four basic lifelines are more exposed than I'm comfortable with and more exposed than you should be comfortable with, and whether you think the federal government's going to fix this or not, we don't have a military to defend civilian infrastructure that's prone, nor do we have time in the next two and a half years to make these things unhackable. But there are things we can do. So whether it's China in 2027, '28, '29, or never, you know, the good news is we have some time, like we did with Y2K or like we did with the CISA COVID Task

Force. But the bad news is we have two other conflicts on the world stage, in Israel/Gaza and in Ukraine. So whether it's the Russians getting pushed into a corner and wanting to disrupt our fragile infrastructure, Iran, like we saw with CyberAv3ngers, or some sort of capability, heck, North Korea, we're in a place where, yes, maybe we have a formidable Roman Empire, but whether you attack the city or you attack the aqueducts, you can do some pretty serious cascading harm. And we heard some great things from Dean yesterday about water supply and cascading harm. So we don't always get the time we want and the resources we want, but we do get creative in the

crucible of necessity. So whether it's the Apollo 13 true story, not the fictionalized one, or whether it's what we marshaled for Y2K, a success story, not a false alarm; that was how I started my career. We have a lot of target-rich, cyber-poor owners and operators of critical infrastructure in rural America, a lot. They can't just do best practices. So in one of the sessions I'm going to be joined by an official from the White House Office of the National Cyber Director, who was also part of the CISA COVID Task Force prior to assignment there, and we did not have three years to just implement zero trust or just do best practices when we found vulnerable weak links in the

vaccine supply chains and nitrile gloves and masks and the cold chain and cold storage for medical supplies. We had about three months. So if you can't do anything for three years, what can you do in three months? And the answer was a lot; you just have to get really practical. So we'll probably talk about some of these things together in the second block. David Etue and I gave a talk like this at RSA called Getting Serious; you can watch the recording, and in it we kind of had some hiccups about this, but this is mostly aimed at CISOs and corporate, to see what assumptions you have. A lot of people say, well, if we had

an act of war, you know, we have insurance for that, and they all forget things like, I don't know, exclusions for acts of war. So some of our top controls and risk acceptance or risk transfer tend to be the assumptions of insurance and insurability. So if in your day jobs you care about that stuff, go watch that talk. Back to why we're here. Yesterday's thesis was: let's get an update of how much more has happened in the last 12 months since we last gathered here in the desert. So we had an update on food supply, Hungry Hungry Hackers, from Sick Codes and LP, and they talked about how little flaws can have a pronounced

impact on the industry, and how cascading failures on our over-concentration of risk can do so. If you didn't see it, please watch it. That was followed by a fantastic talk by Dean Ford. Are you here? There's Dean. Dean is a water engineer, or an engineer who works in water and wastewater. He's not a hacker, but he's been coming here now for the third year. He's a treasure, and he's leaned into us and we've leaned into him, and he helped us understand how vulnerable water is, not just to shutting it off, but maybe to destructive, long-lasting attacks, and he walked us through some Socratic cascading-failure exercises that were mind-blowing. So make sure you get a chance to watch Dean. We then heard

from Dr. Christian Dameff, who grew up going to hacker cons for the last 20 years and somewhere in the middle went to law school... not law school, med school, and became a physician, and helped us found cybermedsummit.org, where we do live ER hacking simulations. And now he's working at UCSD on a cyber center and an ARPA-H grant, and he shared how overdependent we are in clinical care on technology, and there's no going back, but the trend lines are not good. A really impassioned and very personal talk, more personal than I've ever seen him, yesterday on where we have found ourselves and what we can do about that. And then lastly, for our four updates, we had Dr. Emma Stewart talking

about power. Emma's the chief scientist for the grid and a lifelong expert on electricity, and she helped walk us through two scenarios and tabletops she's trying to do for national security and national capacity, including a hard reboot of the grid, with increasingly connected technology complicating that, called a black start. And we begged her to do her second scenario in the choose-your-own-adventure, which was essentially a CrowdStrike, crowd-struck-like scenario on all the inverters for all solar panels and junctions across the grid. Both of them are pretty terrifying. So with those four we got updates of what's happened in the last 12 months, but then we also asked each of them: if you saw a Volt Typhoon-like

destructive scenario, what's our tolerance level to that? So that's what we walked through yesterday, and then I announced a new initiative that I'll try to wrap up. So I had a very hard time making decisions on behalf of a bunch of volunteers, so the Cavalry can continue to act independently, but I announced a new project as of yesterday, so let me tell you quickly about that. Craig Newmark did not know what the Cavalry is. Craig Newmark, Craigslist. We met earlier this spring, especially when I was prepping for the Getting Started workshops at the RSA conference, and I'm going to give you the why, the what, the when, and the how of this

pilot that Craig is funding through IST, the Institute for Security and Technology. So I've accepted to run a project, a one-year pilot we hope to extend, and I'll tell you how it was constructed, as distinctly as possible. The why: as I started to tell you, we are overdependent on undependable things, and it's starting to be noticed by our families and our neighbors and our communities, which means we are failing them. It's not entirely our fault, but on our watch, the conversations we've been having in industry have not been enough. The last five-plus years of conversations we've been having that are fruitful, with public-private partnerships with the government, are not

enough, or rather, they're going to take longer to manifest the intended yield, and in the meantime, in this messy middle, this overdependence is rearing its ugly head in ways that none of us should be comfortable with. So that's the why: we need something new and creative. The what: for the total project, we focus on the water you drink, the food you put on your table, emergency care and access to it, and power, especially in municipal settings, the last mile. The grids are much more resilient than every individual community in which you live. And we're not just looking at these in silos; we're going to look at the

cross-sector dependencies and interdependencies, so failures in any one of them can have ripple effects to all of them. So these basic lifelines are the what. The when: well, we're adding some urgency, whether it's exactly 2027 or just a great catalyst to innovate in, whether it's Volt Typhoon-type disruption or more accidents like CrowdStrike. If we have a war, it will be a hybrid war, and we know how vulnerable our infrastructure is. So we're adding essentially a forcing function to see what we can do prior to 2027, and working backwards. And the how: we're going to have to try some different things, so I'm taking a page... Andrea and I have been talking since

even before the Cavalry existed. If you saw her fantastic keynote: cyber terms, and even resilience terms, which is the right term of art in our sector for these availability and continued-access services for lifeline critical infrastructure, these have no precedence in law per se. They don't know what resilience is, but they know what safety is; they know what safety engineering is; they know what safety science is. Our neighbors don't know what resilience is, but they know what safety is. You know, when we said "where bits and bytes meet flesh and blood," we were on to something, but we are continuing to workshop and refine our language for average citizens. So in this particular case, given the short

time frame and the high consequences, we're going to take a page out of disaster science and natural disasters, and we're going to do what you might do for hurricanes. So a hurricane is a natural disaster, and we might not be able to stop it, and it's going to make landfall, but what we can do is inform, influence, inspire. What we have in our case are not natural disasters; they're unnatural disasters, and it's going to take us a while to work through them, so they're not identical. But in the inform, influence, and inspire, the more consequential a thing, the more forthright we have to be, and that doesn't mean talking amongst ourselves, and it doesn't mean talking to

policy makers; it means talking to the people who will bear the costs of those failures. What that means is it is a sin to exaggerate and it's a sin to downplay. So we've got to say what we know, say what we don't know, and level with people so they can make informed risk decisions where they are, with what they have. That's the inform. The influence is: give them the best possible corrective actions, as we can see them, with the available time and resources. So ideally, maybe it's not "implement zero trust over the next 10 years" for your water and wastewater facility. Maybe it's not "Shields Up"; maybe it's "connections down." And maybe, if they can't do the

ideal risk mitigation, then we give them next-best alternatives. And then on the inspire: we're going to have to stay in constant communication and update each other on what's working and what's not working, and encourage that if we stay in tight communication and we act on the best available information, we're going to be okay. So inform, influence, inspire, and learn from disaster management and disaster science. And most importantly, these are not technology issues; these are hearts-and-minds and awareness issues. So the bulk of this pilot, from Craig Newmark at IST, that I'm going to lead, is a creative arts budget. We're going to do A/B testing to find the love language to meet people where they are,

understand how they talk, understand what they care about, and make sure the way we're approaching them, the language we use, whether it's explainer videos, or propaganda from World War II, memes, or reality television shows, we're going to put everything on the table to find a way to reach and inform, influence, and inspire the safest possible outcomes for these communities. So this project is not required of Cavalry people, but we knew that you would be one of the first and best, here at BSides, where it's the protectors and the puzzlers, as we gather in the desert. The working title for this project, announced yesterday, is Undisrupted 27. So in the face of increasing disruptions, more disruptions, longer disruptions,

larger disruptions, more life-safety disruptions, no matter what harms are thrust upon our critical infrastructure for food, water, urgent care, and power, can our communities do the best they can to be undisrupted, or at least less disruptable? So I'm asking each of you to consider what you can do to help this new mission, but more importantly, get really selfish for a minute: are you prepared, for your household? And I don't mean become a prepper, but it's not a Herculean effort. We know what to do in the unlikely event of a water landing; every time we get on an airplane: "in the unlikely event of a water landing." So similarly, if we were to have some disruption, even a temporary

disruption to water supply, how have you taken steps in your own household to make sure that you are less of a drain on the community resources that are scarce, and, more importantly, that you are willing and able and refreshed to help in the incident response with your natural skills? So if this is interesting to you, there's a Slack group we're just getting started, and I think there's going to be a lot more resources here. Craig seems very moved; other philanthropic groups seem very moved. And we recognize we're gradually doing a lot of the right things, including Andrea's proposal for a new regulator of last resort, but there's going to be a messy middle. So again,

we're going from the overdependence on undependable things to a maybe more proportional dependence state in the future. The next few years are going to be bumpy, so we're asking you to simmer in your discomfort. Today and tomorrow there'll be three uncomfortable conversations. First, with Andrea Matwyshyn, building upon her fantastic keynote, to show that we have not done a very good job professionalizing, and we've been so anti-professional that if we don't set standards, or have normal citizens and municipal leaders know how to spot the helpers, then these get defined for us. So I can't wait to see how provoking that conversation is. The middle uncomfortable conversation will be about "Time's Up." I'll be co-

facilitating with White House ONCD for a two-hour block. I believe they're here in their official capacity to talk through some of the implications of campaigns like Volt Typhoon, and making the top-five list for SC Magazine. We're going to close out the day with Beau Woods and Carl on wars, rumors of wars, and what we can do about it, through this exercise for the next couple hours. So thank you for being in the room; thank you for being open-minded. Please be comfortable in your discomfort, because there are things we can do in the next couple years; we just have to make sure that we're paying attention, trying things, and making sure

our communities are as resilient as possible. If your household is okay, perhaps your city can be okay, perhaps your county can be okay, and perhaps we can share successful tabletops and education mechanisms and tech solutions, and we hope to tease those out through the rest of today. So with that, I'm going to wrap up, but I look forward to working with you on this new project. Thank you. [Applause]